Public Bill Committee

[Philip Davies in the Chair]

Clause 40  - Unauthorised acts causing, or creating risk of, serious damage

Elfyn Llwyd: I beg to move amendment 35, in clause40,page34,line40,at end insert—
‘(1A) For the purposes of subsection (1)(a) an unauthorised act can include installing spyware software onto a computer, where the owner’s explicit consent has not been given.”.

Philip Davies: With this it will be convenient to discuss amendment 36, in clause40,page35,line13,at end insert—
“(g) harassment or alarm or distress which has a substantial impact on the victim’s day-to-day activities.”.

Elfyn Llwyd: Clause 40 adds to the Computer Misuse Act 1990 a new list of unauthorised acts, which are defined as acts causing “serious damage”. I thought it might be helpful to specify that an unauthorised act can include installing spyware software on a computer unless the owner of the computer has given explicit consent.
Members of the Committee may be aware that in 2011-12 I chaired a cross-party group of Members of both Houses that looked into reviewing the law on stalking. During our inquiry we took evidence on cyber-stalking, and I learnt that 50% of all crimes in the UK now involve a cyber element. That is a shocking statistic.
Cybercrime is becoming more and more prevalent. We have all had cases in which vulnerable people—often, though not necessarily, elderly people—are preyed upon by someone pretending that somebody has defrauded them at their bank and they had better move their money. I have had many of those cases in the past few weeks; it is troubling. Age Concern reckons that such crimes are worth between £10 billion and £15 billion per annum—again, that is absolutely staggering. Only a small number of the people affected will ever get their money back.
We know how many people have access to the internet, through computers and telephones—for the purposes of the Computer Misuse Act the definition of a computer can include telephones. It is no wonder that more and more criminals perpetrate crimes on computers. Those crimes can vary from libel and fraud to stalking and even domestic violence.
It could be argued that installing spyware software is already an offence under the Computer Misuse Act since it is necessary to install the software on the computer or phone, and doing so is an unauthorised modification of the device, as well as being a means of obtaining data from it. Amendment 35 is intended as a probing amendment, as I want the Committee to discuss how we can improve the number of prosecutions of perpetrators who have been doing that.
Perpetrators can install the software on a device either in person or via a virus. They can disable preventive software that would otherwise protect devices, such as firewalls or anti-virus software. Perpetrators of stalking are sometimes able to enable location services remotely on other people’s devices, so that they can track where the person is. They can also send texts or e-mails that appear to come from the victim but of course do not, or change the privacy settings of victims’ online profiles, making them vulnerable to hackers. I understand that it is even possible from a remote location to enable a webcam to broadcast, unknown to the user, so that the victim is effectively broadcasting themselves on the internet without being aware that they are doing so. I am sure members of the Committee will agree that the implications of all those acts are worrying.
Amendment 36 has the same rationale of probing behind it. It would amend clause 40 to add to the list of acts causing damage to human welfare that subsection (2) inserts into the Computer Misuse Act behaviour that causes
“harassment or alarm or distress which has a substantial impact on the victim’s day-to-day activities.”
I have deliberately used parts of the definition of stalking in section 2A of the Protection from Harassment Act 1997, which was passed in 2012 as a result of our inquiry’s work. We argued then that stalking should be defined in relation to the actual impact of the crime on its victim. In that sense, it seems that stalking should certainly be classified as a behaviour which can cause “damage to human welfare”. It is certainly relevant in this case, as so many perpetrators of stalking engage in cyber-abuse of their victims.
I would also welcome some clarification from the Minister as to whether victims are protected under the Computer Misuse Act 1990 if the applications affected are in the cloud, as opposed to being on the victim’s computer or telephone. If an offender hacked into the cloud, would that qualify as a misuse of the computer or device on which the cloud services were running? Given that most of the cloud’s services in question are offshore, I presume that that would introduce other complications. I would welcome the Minister’s comments on the amendments. I have no intention of dividing the Committee on them, but I believe that they are important and I hope that she will respond to them in detail.

Steve Reed: It is a pleasure to serve under your chairmanship, Mr Davies, not least as you have the entire job of chairing. Normally I am co-chairing our all-party parliamentary group with you. I want to make a few comments about the amendments tabled by the right hon. Member for Dwyfor Meirionnydd. There is a gap in the Home Office’s thinking on cybercrime; that is evident in the Bill. We have heard plenty about the serious threat to national security caused by cyber-attacks but little on what we might term low-level crime which affects individuals and businesses.
Amendment 35 specifies that
“an unauthorised act can include installing spyware software onto a computer”.
That is in line with Labour’s thinking on the subject. The term “computer” perhaps needs to be a little broader, to encompass the other devices by which people may access the internet. In terms of securing the owner’s “explicit consent”, we need to encompass those circumstances and occasions when an individual is tricked into giving their consent to harmful software being installed on their computer without them fully realising the intentions or what the software will do. Our proposed new clause 14 would see a responsibility placed on internet service providers to report to their users where such behaviour is evident from the usage data to which they have access.
Amendment 36 is to be welcomed, because it might reasonably be taken to focus on low-level crime. The Government have not looked at that properly, despite the opportunity presented by the Bill. Surveys tell us that business crime, in particular, is rising, yet it is not included in the official figures. Figures from Financial Fraud Action UK show that between 2013 and 2014, online banking fraud went up by 71%, e-commerce fraud went up by 23%, card fraud overall went up by 15% and half-year fraud losses on UK cards are now at their highest—£247 million—since 2008. In addition, remote banking fraud went up by 59%.

Andrew McDonald: As we have been sitting here, I have received an e-mail telling me that my tax return was incorrectly filled out. It is from John Smith, who draws to my attention some mistakes made. It asks me to press “here” to “follow the advice of the tax specialist”. I do not exactly have donkey ears, so I will not be pressing “here” or anywhere else.

Steve Reed: I congratulate my hon. Friend on spotting that attempt to defraud him. I hope that other people will learn from his example and be very wary when receiving scam e-mails and messages.
There are serious implications for the small and medium businesses we rely on, as well as for the individual, who is increasingly turning to the internet for shopping. We have seen that particularly over the Christmas and new year sales period. It is those people who are being let down by the Government, who are being too complacent about this form of crime, which is still rising. Just last week, the Minister for Crime Prevention said:
“Up to now, cybercrime has been a lesser interest.”—[Official Report, 5 January 2015; Vol. 590, c. 10.]
There is a shared responsibility to tackle cybercrime. It is for the Government to show clear leadership and ensure that legislation is up to date, and it is for the police to investigate and prevent cybercrime. However, internet service providers have an important role to play in educating their users and warning them of potential threats to what amendment 36 terms “day-to-day activities”, which for most of us could be something as simple as online shopping. Indeed, it is in the face of those threats to daily activities that the Government’s lack of leadership on cybercrime is most evident. A report last year by Her Majesty’s inspectorate of constabulary said that
“officers told HMIC that they are poorly equipped to provide advice to the public about what they need to do to keep themselves safe online.”
The report further found that
“the gap between the threat and police capability is widening.”
It said:
“The capabilities to tackle cyber crime should not be the preserve of the specialist officer; every police officer needs an understanding of it and the capabilities to deal with the cyber crime they will encounter.”
The report stated:
“HMIC found that the police’s capacity and capability to respond to national threats was stronger in relation to some threats than others.”
It concluded:
“The police service must very soon be able to operate just as well in cyberspace as it does on the streets today.”
Protecting the day-to-day activities of individuals and businesses that are targeted by cybercriminals should be at the core of any Government strategy on cybercrime. It is an important principle and one that we support. I look forward to what I hope will be the Minister’s positive comments on the amendments.

Karen Bradley: It is a pleasure to be back here under your chairmanship, Mr Davies. I thank the right hon. Member for Dwyfor Meirionnydd for bringing the issue of harassment to the Committee’s attention through the amendments and I pay tribute to the work that he has done, particularly in the all-party group on stalking and harassment.
The amendments may not be, strictly speaking, what we have in mind when we think about the scope of clause 40, that being unauthorised acts causing, or creating risk of, serious damage, but it is right that the Committee should recognise the devastating impact that online harassment can have on victims. I think that we have all seen, as constituency MPs, examples of constituents who have suffered abuse online that would never have happened in the street. People feel that because it is online, they have anonymity; they appear to become desensitised to what is being said. We have to be clear that if it is illegal offline, it is illegal online. The Government are absolutely clear that abusive and threatening behaviour online, whoever the target, is totally unacceptable. I repeat: what is illegal offline is also illegal online. We have robust legislation in place to deal with internet trolls, cyber-stalking and harassment and perpetrators of grossly offensive, obscene or menacing behaviour.
The hon. Member for Croydon North, whom I welcome to his place—it is very nice to be debating with him, too—talked about fraud, which is not strictly speaking what we are talking about with the amendments, but it is worth making the point. He talked about Financial Fraud Action UK. I visited its offices a few months ago and am very impressed by the work that it does to keep us all safe online. We can all do more to raise awareness of that, and I would be very happy to work with the hon. Gentleman on ideas about how we can get messages to our constituents, through our constituency offices, about things that they should do.
I will give an example. I know that we are talking about activity online, but at the moment there are a lot of vishing phone calls, whereby fraudsters are calling people and saying that they are their bank or one of their financial providers and they are staying on the line when people do not put their phones down long enough to disconnect them. I want us all to raise awareness of that, because if people put their phone down for five minutes, they will disconnect the call, which means that the fraudster or scammer cannot get the information from them. We should all work hard to do that. I would welcome working with Opposition Front Benchers and Government colleagues to make sure that we raise awareness of such things.
We should also all take simple measures online—as GCHQ put it, the simple disinfectant that it estimates could protect us all from 80% of online attacks. That includes making sure that we have up-to-date antivirus software and have installed protection against malware, and that we update and have complex passwords. I know that it is a pain, when people come into work in the morning, to have to log in using a three-word password that has numbers, letters and characters in it, but it is absolutely essential. I have seen too many examples of people who have been caught out, because criminals are using the internet to try to attack us all.
We also need to be clear: in many cases, it is the same crime online as it is offline—it is fraud, financial loss, or a personal attack—but because it happens online, criminals are able to access so many more of us. If somebody walking down the street has paint thrown at them, that is clearly abusive behaviour. The equivalent behaviour online can be done to millions of internet users in one go, whereas the paint might only be thrown at one person. The access for criminals to hurt us all online means that we have to be smart, clever and ahead of the game. I can also assure the Committee that the people I have met—those in law enforcement and others—who are helping us to fight this crime have very big brains. I know that our people with very big brains have bigger brains than any of the criminals, so we need to work together to make sure that we raise awareness and that our constituents are safe.

Sarah Champion: I agree that law enforcement people have very big brains, but does the Minister think that they have big enough budgets, because that is the one thing that I see they are lacking?

Karen Bradley: I will come on to the amount of money that the Government have invested in cyber. The examples I have seen of cybercrime units—the national cybercrime unit that is housed at the National Crime Agency and the regional cybercrime units that are housed in the regional organised crime units—have significant resource. We have made sure that resource is protected for cybercrime. We need to make sure that all law enforcement understands that even if something happens online, it still has a fingerprint. There is a still a way to track and detect that crime. The investigation techniques, in the broadest sense, are the same for all types of crime. It is just that the way of finding that fingerprint is not the traditional powder that might have been used previously; it is done using online technology.
There are opportunities from digital for us all. For example, I suspect that we all have a wi-fi box in our homes. The previous Minister for Crime Prevention, the right hon. Member for Lewes, will know well that when a criminal breaks into someone’s house carrying a smartphone, that smartphone will try and access the person’s wi-fi. Their wi-fi therefore has a digital fingerprint of that smartphone number. We need to make sure that that sort of intelligence is being used—as I know it is—by police officers who come and investigate the break-in, and that they are using the digital opportunities to track criminals as well as the traditional investigation techniques that they have always used.
While I am talking generally about cybercrime, I want to mention Action Fraud, which has been talked about at some length. I am proud that Action Fraud is now housed in the City of London police together with the National Fraud Intelligence Bureau. It is important that we put Action Fraud’s capabilities under the roof of the City of London police, which has such expertise in investigating fraud. I visited Action Fraud and I am very impressed by the team working there, because Action Fraud is a national repository—or depository, depending on whether they are holding the information or receiving it—and it has the ability to take all the information about all the fraudulent crimes committed across the country, store it in one place and spot the indications and common threats. It might involve the same bank account or the same mobile phone number. People who report to Action Fraud will assist in making sure that information and intelligence about crimes is available to the law enforcement agencies so that they can build a picture. Action Fraud builds that picture and makes sure that the most appropriate local police force investigates the crime. I think that that is right.
A constituent who has been the victim of online fraud might come to me in Staffordshire Moorlands. They do not know where the fraudster was located, but they have a bank account number and they might have a mobile phone number. We give that information to Action Fraud, which can then say whether it is the same mobile phone and bank account number that was implicated in a fraud that happened in Middlesbrough, Rotherham, Croydon, or Birmingham, and then it can start to track from where the mobile number is being used and where the bank account is.
Staffordshire police do not have to investigate the crime, even though the victim was in Staffordshire. The police force local to where the bank account is held can do the investigation. That is the theory and practice behind how Action Fraud operates. I have said this in the House and I will continue to say it: I want to see Action Fraud communicate that to victims. Victims of crime want to be told that the crime is being taken seriously, and they want to understand how the information is disseminated to the right local police force to investigate the crime. Again, there is much that we can do to ensure that that information is given to victims of crime so that they have the security they need.
The hon. Member for Croydon North mentioned a comment in the House last week about cybercrime being “a lesser interest”. I think that the Minister for Crime Prevention, my right hon. Friend the Member for Hornsey and Wood Green (Lynne Featherstone), did not intend for it to sound the way it did. I think she was trying to say that it is something we are getting to grips with to understand more. Cybercrime has never been of lesser interest—crime is crime; it does not matter where it happens—but perhaps, from a police point of view, it has been difficult to understand. We need to get more training through the College of Policing and elsewhere—I will talk about that shortly—to make sure that local police understand about cybercrime and are not scared by it, but know how to deal with it.
The Government recognise that laws to deal with internet abuse are not sufficient on their own. Police and prosecutors need the capacity and knowledge to work within a complex legal framework to meet the jurisdictional challenges of the online world, and to understand and balance legitimate concerns about civil liberties. To support this, in July 2013 the Crown Prosecution Service published guidelines for prosecutors on the approach that they should take in cases involving communications sent via social media. The guidelines seek to draw the difficult balance between protecting freedom of speech and acting robustly against communications that cross the threshold into illegality. The College of Policing also wrote to all chief officers in July 2013 with advice on tackling online abuse.
The hon. Member for Croydon North talked about the definition of a computer. I have written to my hon. Friend the Member for Norwich North (Chloe Smith) about her contribution on Second Reading. I hope all members of the Committee have a copy of the letter, which explains the definition of a computer and how the law would define it so that it includes smartphones and tablets, and not just a desktop computer.
We recognise that there is still more to do, and we continue to work with the police and the Crown Prosecution Service to raise awareness and improve professional knowledge. Since October 2012, the College of Policing training package on investigating stalking effectively has been completed more than 56,000 times by police officers. The College of Policing is also undertaking a review of how stalking incidents are investigated by the police, which will include how the police understand what constitutes a course of conduct in policing, how the police support victims, and further training on the appropriate use of police information notices.
To ensure prosecutors’ knowledge is continuously refreshed, in April 2014 the Crown Prosecution Service launched a specific e-learning module on stalking, which focuses on victim support, working with the police, and ensuring that a strong case is built from the start. More than 1,500 Crown Prosecution Service staff have completed training in stalking.
Amendment 35 would add installing spyware to the definitions of an “unauthorised act” for the new offence. The circumstances of installing spyware on a computer without the owner’s consent is already covered by a combination of the arrangements in clause 40 and the definitions in the Computer Misuse Act 1990, particularly in section 17, which provides for the interpretation of that Act which also applies to clause 40.
Amendment 36 would extend the definition of serious damage to human welfare by adding harassment, alarm or distress that has a
“substantial impact on the victim’s day-to-day activities.”
It is right that the new offence should recognise impact on victims, which is why we have included provisions on serious damage to human welfare. Such damage includes “human illness or injury” under subsection (3)(b) of proposed new section 3ZA of the 1990 Act. It would therefore be for a juror to decide whether a serious cyber-attack that caused substantial harassment, alarm or distress was such that it constituted “human illness”. The purpose of the amendment is therefore already provided for.
This offence is designed to respond to serious cyber-attacks. If a cyber-attack has caused serious damage to human welfare, a person guilty of the offence would be liable on conviction to life imprisonment. In such circumstances, it is right that we have made “human illness or injury” the threshold for serious damage to human welfare. Without wishing to diminish the impact on victims, I do not believe that substantial harassment, alarm or distress should be included.
I want to make a few comments about stalking, which is, as I am sure we all agree, an appalling crime that can destroy lives. That was why the Government introduced new laws in 2012 that sent a clear message that those responsible should be brought to justice. The right hon. Member for Dwyfor Meirionnydd should take credit for those laws because the work of his all-party group formed part of the thinking behind them. Our new laws will help to stop people from living in fear and prevent escalation to more serious violence. In 2013-14, more than 700 prosecutions were commenced under the new stalking legislation. That represents a significant increase from 2012-13 and shows that the legislation is taking effect. Notably, three people were jailed last year for improper use of a communications network under section 127 of the Communications Act 2003 following online abuse directed at Caroline Criado-Perez and the hon. Member for Walthamstow (Stella Creasy), who had been campaigning for a woman to appear on £10 banknotes.
Changes to the law under the Criminal Justice and Courts Bill will increase the maximum penalty for offences under the Malicious Communications Act 1988 to two years’ imprisonment. That will mean that more serious offences can be dealt with in the Crown court and that there will not be a time limit for bringing prosecutions, thus allowing more time for offences to be investigated. Alongside that, the Government are extending the time within which prosecutions under the Communications Act 2003 may be brought to up to three years, as opposed to the previous six-month limit. I hope that I have demonstrated to the right hon. Gentleman that we take very seriously the need to tackle online harassment effectively and that, in the light of this useful debate, he will be content to withdraw his amendments.

Elfyn Llwyd: I am grateful to the Minister for her detailed response to amendment 35, the purport of which she explained is already covered by the Computer Misuse Act 1990 and clause 40. I am happy with that particular aspect, but I am still a little concerned about excluding harassment and distress from the provisions. She said that they could conceivably come within “human illness or injury”, and while I suppose that that is not ruled out altogether, it is not explicit in the Bill either. She also said one particularly encouraging thing about having wi-fi in premises where someone intrudes. I was burgled a few days before Christmas, so I have to remind my good friends in the North Wales police of what she said. All is not lost with this particular group of provisions, but I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Steve Reed: I beg to move amendment 41, in clause40, page35,line36,at end insert—
‘(4) Internet service providers must take all reasonable steps to notify a customer of an unlawful attempt to compromise his or her internet-connected device.
(5) In this section “internet service provider” has the same meaning as in section 124N of the Communications Act 2003 (interpretation).”.
It is a pleasure to propose the amendment. The Government’s figures put the cost of cybercrime to UK citizens at £3.1 billion per year, which is an incredibly significant amount. Of that, £30 million is lost to scareware and £1.4 billion to online fraud of the type just combated by my hon. Friend the Member for Middlesbrough. Identity theft, which can be carried out using malicious software, costs some £1.7 billion per year.
The amendment would place a duty on internet service providers to take all reasonable steps to inform their customers if their computer was being misused, which relies on information readily available to ISPs, as a spike in internet use will often reflect a hacking attempt. It would also add a preventative measure to cut off potential misuse at its source as it is happening.
The principle is used in similar measures in other countries. In 2008, the Australian Government conducted a review of their cyber-security. One recommendation was a code of practice for internet service providers, which was led by the Internet Industry Association of Australia. The iCode, as it has been dubbed, has three aims: to empower citizens to be responsible for their own security online; to encourage the sharing of data among ISPs; and to standardise the steps that ISPs should take when a user’s computer has been compromised. It is part of an effort to provide a broader and more consistent message, in simple language, for individuals and to encourage ISPs to work together to identify compromised devices and potential threats.
A good case study shows how the measure might be implemented in practice in the United Kingdom. An ISP identified a compromised computer that had been infected with malware on its service. It was running as part of a hacking network and, as is often the case, the user was completely unaware. The ISP attempted to contact the user to offer advice on removing the malware. After 42 attempts to e-mail her, there was no reply, so every time she attempted to use the internet after that, she was redirected to a warning page notifying her of the problem before cutting off her internet service. It was only then that she finally made contact with the company, which was able to assist her with securing her computer. That is, perhaps, a rather extreme example, as it is likely that most people would contact their ISP before being cut off, but it is an example of the sort of technology that is available to tackle computer misuse at source and disrupt hacking networks.
The code in Australia is Government-backed, but industry-led. A similar, voluntary code is in practice in the United States, where the Federal Communications Commission implemented the Australian model. ISPs have agreed to take meaningful action to detect threats and educate users. In particular, there is a requirement in the code of conduct to notify users when malware appears on their computers. About half of all internet users in the US are covered by the code.
The original aims of the Australian model are also applicable in the UK. In particular, the sharing of data among ISPs can be a huge issue, but it is something that the Government should encourage. ISPs are often reluctant to share their information with law enforcement and that can involve a slow process. By putting the responsibility in their hands, ISPs will be able to maintain their independence while contributing to the fight against cybercrime.
Individuals and business users also need to be more empowered. The Minister for Crime Prevention told the House last week:
“What is illegal offline is also illegal online.”—[Official Report, 5 January 2015; Vol. 590, c. 10.]
Just as we would encourage the public to take what are now everyday, sensible safety precautions, such as locking doors and windows, we should encourage internet users to be safe and to act safely online.
Perhaps the most important point is that preventing crime is always better and less costly than clearing it up afterwards. Advanced crime prevention technology played a major part in cutting acquisitive crime. Despite the increasing prominence of items worth stealing over recent decades—TVs, cars, mobile phones, laptops and so on—acquisitive crime began to fall as people installed alarms, immobilisers and mobile phone security. Simply put, these advances in prevention made crime more difficult, and that is as important today for internet-based crime as it has been for traditional crime offline. The technology is readily available to internet service providers, which can already see when hacking operations are under way. It would be helpful if we could put more pressure on them, through the Bill, to take on the role that they could play to ensure that such operations are prevented.

Karen Bradley: I am grateful to the hon. Gentleman for tabling the amendment and giving me the opportunity to set out the industry’s important role in tackling cybercrime. I also want to pay tribute to my right hon. Friend the Member for Basingstoke, who raised this point on Second Reading. She was incredibly active in this field in her previous ministerial role and has done much to raise awareness of the threat of cybercrime within the industry, but there is more that we can do. I certainly want cybercrime and cyber-security to be taken seriously at board level, not merely at junior management level. I want companies to discuss this every day at board level to make sure that they take it seriously.
Our cyber-security strategy, which was launched in 2011, highlights the shared responsibility of industry, internet users and the Government in ensuring that the UK is one of the safest places to do business. This principle is reinforced in the Protect strand of the serious and organised crime strategy. We continue to work closely with the industry to raise awareness of the threats to revenues, reputation and intellectual property due to cyber-attacks. This has included the publication of Government advice to large businesses and smaller firms on how to improve their online safety, particularly the “10 Steps to Cyber Security” guidance for large businesses, and a small business cyber-security best practice guide. Furthermore, the Cyber Streetwise campaign is raising awareness of the cyber-threat among small businesses and encouraging small and medium-sized enterprises to take action to protect themselves.
There are scary numbers in relation to attitudes towards cybercrime, especially among small retailers. They are prepared to write off 20% of online sales and expect that to be the norm, but that cannot be right. We need to take action, but they need to take action, too. Simple measures can be taken and we all need to take the matter extremely seriously. As more and more of us carry smartphones and tablets, and access the internet and do our business online, we need to make sure that we are as secure as possible. It is clear that the Government cannot act alone against the threat of cybercrime. The hon. Gentleman is right that internet service providers have an important role to play in protecting their customers, but this will best succeed with a voluntary partnership approach, rather than statutory regulation.
We recognised that in December 2013 when we published “Guiding Principles on Cyber Security”. Those principles were co-developed and agreed with ISP partners, and they set out a series of principles and guidance for internet service providers. They provide a consistent and best-practice approach for ISPs to help to inform and educate their customers and to protect them from online threats. They cover areas in which internet service providers will work with their customers to raise awareness and to provide advice and security solutions, including reporting mechanisms.
Customer notification of a cyber-attack is helpful only if the customer has the understanding and tools to address the problem, which is why the guiding principles stress the importance of ISPs providing guidance and signposting tools that will help their customers to protect themselves. As I said earlier, GCHQ estimates that 80% or more of current successful attacks could be defeated by simple best practice, such as updating anti-virus software regularly. Good cyber-security and a healthy digital economy are not just about how the industry protects us. We, the public, have a responsibility to exercise good cyber-safety when we are using the internet.
Our approach is therefore not only focused on raising awareness across business, as it is also important that the public know how to protect themselves. That was why we launched the Cyber Streetwise campaign, the purpose of which is to encourage individuals and small businesses to adopt safer online behaviours to help better to protect them from cybercrime.
The amendment rightly draws attention to the important role for industry. However, in the light of all the work that we are doing with the industry, and in recognition of the reporting mechanisms to customers that have already been established in “Guiding Principles for Cyber Security”, legislating in such a way is not the answer, so I hope that the hon. Gentleman will withdraw his amendment.

Steve Reed: I thank the Minister for her response. Again, I draw attention to the example of the United States and Australia, where a Government-backed approach that is voluntary within industry, but relies on law to an extent, has proved extremely successful. I hope she will look at that again but, for the time being, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Philip Davies: With this it will be convenient to consider new clauses 13 and 14.

Steve Reed: Although we are taking new clauses 13 and 14 together, I will address them separately as they focus on rather different issues.
The Government tell us that crime is falling, but the truth is that crime is changing. That point was made earlier by my hon. Friend the Member for Birmingham, Erdington. Figures from Financial Fraud Action UK show that between 2013 and 2014, online banking fraud went up by 71%, e-commerce fraud went up by 23%, card fraud went up by 15% and remote banking fraud went up by 59%. I repeat those figures, which I used earlier, because they are very relevant in the context of the new clause. Those are all cyber-enabled crimes, and the figures confirm that as technology advances rapidly, so too does the nature of crime.
The Government tell us that what is illegal offline is also illegal online. While that seems a simple principle, there seems to be some confusion in practice at the Home Office. In 2011, the then Under-Secretary of State for Crime and Security, the hon. Member for Old Bexley and Sidcup (James Brokenshire), said that
“online attacks can have a significant real-world impact”.—[Official Report, 3 February 2011; Vol. 522, c. 1051.]
He promised co-ordinated action against online threats and co-operation with European partners to make Britain a tougher place for online criminals to operate in. That is all very commendable. However, four years on, the Minister for Modern Slavery and Organised Crime said just last week at Home Office questions that the Home Office is still “learning about the parameters” of cybercrime and “getting to grips” with it. The Minister for Crime Prevention, as we have already heard, said that cybercrime has been a “lesser interest” for the Government up until now.
The fact that the Government appear to have downgraded cybercrime from a significant real-world impact to a learning exercise will not be much comfort to the thousands of victims of cyber-enabled crime, a form of crime that is growing exponentially. Nor will it be much comfort that the Home Office has repeatedly ignored warnings about the growing threat of cybercrime, which is far outpacing the police’s capability to tackle it. The Minister talked about her visit to Financial Fraud Action UK. I had the pleasure of visiting it myself with my hon. Friend the Member for Birmingham, Erdington. I wonder whether she heard expressed the same concerns that the rate of growth in cybercrime is not being matched by a growth in the resources to enable the authorities to tackle it.
In 2013, the National Audit Office found that it could take 20 years to build the skilled work force necessary to deal with cybercrime. A 2013 Home Affairs Committee report on cybercrime noted that
“there appears to be a ‘black hole’ where low-level e-crime is committed with impunity.”
It also said:
“At a time when fraud and e-crime is going up, the capability of the country to address it is going down.”
A 2014 HMIC report found that only three police forces have a comprehensive cyber-strategy, while only 2% of the work force are trained to investigate cybercrime. Only 15 forces had even considered cybercrime in their strategic threat and risk assessment. In November 2014, HMIC published another report, warning that
“the gap between the threat and police capability is widening.”
Crime is not just changing; it has already changed. All the warning signs were there for the Government to see and to act upon, had they wished to do so. It is clear that the victims of cybercrime and those investigating it deserve stronger leadership than they have seen from the Government so far. Under the Police Reform and Social Responsibility Act 2011, elected local policing bodies must produce an annual report on the body’s functions and the progress made on the police and crime commissioner’s crime plan. Those annual reports are designed to instil confidence in the public that their police force is performing well. However, it is particularly worrying that only three police forces out of 43 have comprehensive cyber-strategies in place.
New clause 13 would take a big step towards ensuring that every police force has a strategy for reducing cybercrime. The public rightly expect to have confidence that their local police force has the necessary resources and strategy to reduce and prevent crime of all types, and cybercrime should be no different. That is why the new clause includes a requirement to measure how much progress is being made. I look forward to the Minister’s comments on that.
I turn to new clause 14 and the rather different matter of how we can further increase the protection of children online. The changing nature of technology has contributed to the changing nature of crime. Just as we are seeing low-level crimes carried out by and against individuals, so too are we seeing serious internet-enabled crimes being carried out as individuals and crime groups move online to evade detection and prosecution.
The Government have made welcome progress on tackling indecent material online. In particular, they have worked with four major ISPs to introduce filters and a search engine blacklist. Co-operation in the industry, facilitated by the Child Exploitation and Online Protection Centre and the Internet Watch Foundation, has resulted in progress in tackling public-facing material. However, there is an important distinction between that progress and potential loopholes that are aided by advancing technology. The proposed new clause would place a duty on internet service providers to tackle privately stored material where the offender might be using digital storage facilities to store indecent material, as defined by the Protection of Children Act 1978, specifically including images of child abuse.
Currently, the only way to identify this material is to look for it. That means that police officers might be required to view indecent material, which no doubt causes immense distress and, potentially, harm to them in their line of duty. As technology offers new opportunities for crime, so too can it help with crime prevention and detection, as we have seen with other proposals to work with internet service providers and the technology available to them. Lord Harris noted in another place that there is one piece of technology that essentially distils images and videos into numerical values that can then be matched against a database. The software, called PhotoDNA, is developed by Microsoft, is available free to ISPs and has a 98% detection rate. The potential is there for that, or similar technology to improve prosecution rates and reduce the distress placed on individual police officers, by automating the process. The principle behind it is also important; it is using technology to prevent technology-enabled crimes. I hope that is something that the Minister will be sympathetic towards.

Maria Miller: It is a pleasure to serve under your chairmanship, Mr Davies, and to speak in support of clause 40. We have heard a great deal in the Committee discussions today about how criminals game the system and how they trade off the risks of imprisonment against the rewards of their crime. The Bill is important because it attempts to redress the balance to help to ensure that crime does not pay.
When it comes to part 2 of the Bill, specifically clause 40, relating to the misuse of computers, some of those who seek to commit those crimes will be deterred by the prospect of life imprisonment if they seek to interfere with essential services such as fuel, power, food supplies or other essential parts of our infrastructure. However, others will have far more complex motivations. Cyber-attacks have been identified by the national security strategy as a tier 1 threat to national security.
I welcome the measures in the Bill, but ask the Minister to perhaps set those measures in a broader context for the Committee so that we can see how she anticipates that they will be successful. Tough laws are important and mean that we can punish those who act to disrupt our society, but those tough new laws need to be enforceable by the police and they also go hand in hand with more resilience in business. By increasing our resilience to cyber-attacks as a nation, we will have a more successful legislative framework. It is about sharpening the legal deterrents, but also ensuring that business and citizens take their responsibility in this area very seriously indeed.
We heard from the hon. Member for Croydon North some of the figures involved in the rapid rate of increase in these sorts of cyber-related crime Businesses must be looking at this issue as well and perhaps the Minister can give us some idea of the actions that they are taking. With these new criminal sanctions in place, what action is business taking to ensure that it closes down the opportunities for cybercriminal attacks to take place? What are the police doing to ensure that there are sufficient trained officers to detect such crime and successfully convict?
In many ways, Britain is leading the world on these matters and, as I highlighted at Second Reading, we should take pride in the fact that the Government have acted swiftly to deal with cyber-related crime problems. The measures in the Bill reflect that further. However, the Department for Business, Innovation and Skills’ own report, issued last year, shows that one in four large organisations detected that outsiders had successfully penetrated their networks in the last 12 months, and that figure has increased year on year. Of these organisations, 16% had had confidential data stolen. The cost of these breaches is increasing—indeed it has doubled in the past year. What is more concerning is that 70% of the organisations, according to the report, keep their worst security incidents under wraps.
The Minister is putting the right law in place to make it possible to punish those who attempt to damage this country’s crucial infrastructure, but research suggests that many organisations struggle to evaluate the effectiveness of their own security activities, according to the report. The interconnectedness of our supply chains in delivering the nation’s fuel, food, power and transport means that we are only as strong as our weakest link. The Minister, in responding to this debate, needs to make sure that we are aware of the context in which these new laws will operate. What is being done to encourage business to actively manage cyber-risk, in addition to Government legislating for it? We need business to act to reduce the number of crimes committed, because we know that the scale of cybercrime is growing rapidly.
Secondly, what plans are in place to ensure that the police have the right enforcement capability? If business is more effective, there will, we hope, be fewer crimes, but what are the police doing to ensure that officers are routinely trained in the collection of online evidence? Like it or not, cybercrime is routine as well as specialist policing.
Thirdly, what progress is being made on cross-border co-operation? This was raised by the hon. Member for Croydon North. As I mentioned in the Second Reading debate, the Government are to be applauded for their success in working across borders to tackle child exploitation. Is the Minister looking at that as a template for building broader co-operation?
Finally—this touches on the Opposition’s new clause—what are ISPs doing to ensure that illegal activity that occurs using their communication capabilities is acted upon when it is identified? The Government are doing the right thing and, as the 2013 Financial Times bellwether survey of FTSE 350 company secretaries has shown, 98%—almost all of them—are aware of the Government’s cyber-security guidance and more than two thirds have discussed it at board level, something that I know the Minister thinks is very important. However, it is clear that cyber-security is not always managed at board level and that some boards lack the skills necessary to identify and manage those risks.
The National Audit Office’s recent report identified that the range of industry-recommended standards and regulations risks confusing the situation, especially for small and medium-sized enterprises. The NAO has also identified that few people have the right technical expertise, and that there is a limited capacity among regulators to focus on this issue.
I welcome the action that the Government are taking. This is a Government that recognises that the law must be kept under constant review when it comes to the internet. The Minister has stated more than once this afternoon that what is illegal offline is illegal online too, but I gently encourage her to remember that the speed, impact and scale of online crimes are very different indeed. We have to make sure that the punishments available to the courts reflect the increased severity of crimes committed online. Perhaps the Minister will reflect on some of the issues that I have raised to reassure the Committee that the measures she is suggesting will be as effective as they need to be in a world where cyber-security and cybercrime are fast becoming part of everybody’s everyday life.

Norman Baker: I follow on from my right hon. Friend’s comments and endorse her view that business needs to do more to tackle cybercrime than it has done hitherto. We would have less sympathy for people whose houses are burgled if they had left their doors and windows open and unlocked, and for people who have their cars stolen because they left the keys in the ignition. In cyber terms, that is what some businesses are doing with the lack of protection for their businesses. So it is vital that businesses take more precautions than they are doing. I have come across one or two shocking lapses in business. One major retailer in this country supplied goods to an overseas address following an internet order, and it turned out to be completely fictitious. Huge amounts of money were lost supplying goods overseas; elementary checks would have prevented that. So there is work for business to do.
I agree that this is an international issue. No longer is fraud about someone who is doing a hoax on someone down the road; it could be someone on the other side of the world. We therefore need an international approach, which is indeed the approach that the Government has been taking.
I rise to correct the record. When the hon. Member for Croydon North spoke to new clause 13, he implied that the Government was somehow wrongly positioned or had not been doing work on these matters, but it has. I can assure him that, certainly in my time at the Home Office, it was doing a good deal of work. As the Minister for Crime Prevention, I did a good deal of work, as have the Home Secretary and other Ministers in the Department.
We also engaged regularly with the police and those involved in tackling fraud. Indeed, we engaged with the 43 forces throughout the country. It is true to say, as the hon. Gentleman suggested, that the police are sometimes behind the curve on this, and that is why, in my time, Ministers were keen to ensure that the matter was addressed. That is why the College of Policing has a role to play, which it is playing, in making sure that the police are more up to speed in tackling cybercrime. It would be incorrect to leave uncorrected the suggestion that the Home Office and the Government have not been active; they have been.
However, the hon. Gentleman is correct to say that the police need to do more than they are doing, and to my knowledge, that is what Home Office Ministers have been asking them to do.

Karen Bradley: I am grateful to the hon. Member for Croydon North for affording me, through new clause 13, the opportunity to speak about the ongoing work that the Government have been doing to tackle cybercrime, and how we are supporting the police in this complex area. I thank my right hon. Friend the Member for Lewes for his comments. He, too, has first-hand experience of the extensive work that the Government are doing in this area.
Online crime is a threat that we take very seriously. Cybercrime was recognised as a tier 1 threat to national security in the 2010 national security strategy—a point that my right hon. Friend the Member for Basingstoke raised. That is why cybercrime is at the heart of our cyber-security strategy. The national cyber-security programme has boosted investment, increased capability and expanded training to improve the law enforcement response.
Tackling cybercrime is also a central feature of the pursue strand of our serious and organised crime strategy. The Government are investing £860 million over five years through the national cyber-security programme, and approximately 10% of that money has been invested in building law enforcement agencies’ capabilities to respond to the threat.
We have invested in the national cyber crime unit in the National Crime Agency; created cyber teams in each of the regional organised crime units; and provided training for officers and local police forces. In particular, the network of regional organised crime units provides access to specialist capabilities at a regional level and provides essential support to local forces on all cyber-related issues. I want to make a couple of points on that. Cybercrime needs specialist skills. We have regional organised crime units where we can locate incredibly technical specialist officers. They are available to all local police forces, since it would be difficult for local forces to provide stand-alone specialist resources. We should all agree that such skills are specialist. They are not the kind of skills that the average person in the street—the average Joe or Josephine Soap—may have, although I am sure that they will be getting that training over the years. They are not skills that everybody has; they are technical and specialist. The fact that we can locate technical specialists in regional organised crime units should reassure us all that our local police forces have access to the best brains, technical ability and skills to help them fight cybercrime.

Steve Reed: Is the Minister aware that Her Majesty’s inspectorate of constabulary states that cybercrime is growing at such a rate that it is becoming relatively commonplace rather than a specialism? The inspectorate would like many more police officers to understand the nature and risks of cybercrime so that they can provide assistance there and then in the locality, rather than always referring such cases to relatively small specialist units. Those units would be swamped if we were to direct all such crimes to them without resourcing them in line with the scale of the growth in such crime.

Karen Bradley: I will come to the HMIC report shortly. We must distinguish between the specialist capabilities and skills needed to deal with incredibly complex cyber-attacks—involving people who have substantial levels of training and skills, often overseas, who are trying to attack our national infrastructure, large organisations and large companies—and ensuring that local front-line police officers understand, when constituents come to them after having lost money in becoming victims of online fraud, how to investigate that, what it means and where to get support.
As we have discussed in previous debates, the investigatory techniques for fraud are the same whether the fraud happens online or in the street, the marketplace or the shop. Money has been stolen from somebody, but it has been possible to do it online. I want to ensure that local police understand that such fraud is still fraud, and the individual experiences the same sense of loss. Even though it happened online rather than in person, it is still fraud. Local police must understand that, but we also need the technical skills required to deal with cyber-dependent crime, which is the high-tech side of cyber.
I pay tribute to the NCA, which last year was involved in two international operations. Operation Tovar involved the FBI and others to tackle the malware Gameover Zeus and Cryptolocker, which many will be aware of. Thanks to the NCA’s work, in conjunction with international partners, many people who would have been affected by that malware were given information to enable them, during the two-week window that the NCA and others created, to install the right anti-virus and anti-malware software to protect themselves. The NCA led an international operation for the first time in Project Disputed, which tackled the Shylock malware. The NCA is a world leader in the field, and it takes on international operations to keep all of us—businesses and individuals—safe online. We should pay tribute to the NCA for that.
It would be remiss of me not to pay tribute to the NCA for its work on Operation Notarise, an operation to deal with child sexual exploitation. The NCA led and co-ordinated that operation with local police forces across the country. Some 700 arrests have resulted directly from that operation. Since its creation in October 2013, the NCA has protected or safeguarded more than 1,300 children. By way of comparison, its predecessor, the Child Exploitation and Online Protection Centre in the Serious Organised Crime Agency unit, protected or safeguarded just 560 children in 2012-13. We can see that the NCA, in its work with international partners and in ensuring that local police forces have the support that they need, is seeing real success. However, there is always more to do. While I will continue to pay tribute to the NCA, I want to see an increase in awareness levels throughout police forces in the UK.
The Government have recognised the threat, prioritised it through national strategies and invested resources accordingly. However, the response to threats in each police force area and consequent allocation of resources are a matter for each chief constable, in consultation with their police and crime commissioner. It is right that police and crime commissioners set the local priorities and objectives and that those are set out in the police and crime plan.
Local priorities are not a matter for central Government to determine; they should be determined locally. To underpin that, cyber-knowledge is needed at the local policing level so that all police officers, not just specialist officers and units, can tackle cybercrime. My right hon. Friend the Member for Lewes, with his personal experience, made that point powerfully.
To assist the development of local capacity, the College of Policing has built cyber-modules into existing training courses and developed a bespoke cyber-course for existing officers, including four e-learning modules on cybercrime aimed at police officers and staff, which give an introduction to cyber, digital and social media. Since the modules were rolled out in 2013, more than 120,000 have been completed.
In addition, the college and police forces have been delivering a classroom-based course to police investigators, which gives them an understanding of how to exploit the intelligence and evidential opportunities offered by technology, social networking and communications data. We also established the police innovation fund in 2013 to incentivise collaboration, support improved police information and communications technology and digital working and enable investment in innovative delivery approaches with the potential to improve policing and deliver further efficiency. We are allocating £70 million to the fund for 2015-16, which will be available to support projects to enhance police capabilities to tackle emerging threats such as those from cybercrime.
The Government have a role in establishing national priorities. The strategic policing requirement articulates the national threats to which local forces must have regard and cybercrime and a large-scale cyber-incident have been identified as national threats in the strategic policing requirement. The hon. Member for Croydon North made reference to the concerns raised in the relevant HMIC inspection reports. I do not agree that they point to failure. Rather, they demonstrate that the system is working. Local priorities are set locally and national threats are set out in the strategic policing requirement.
HMIC is responsible for inspecting against appropriate standards and priorities and that is what has happened. It is for police chiefs and police and crime commissioners to consider the inspection reports in the light of their local circumstances and respond accordingly. That is what they are doing, including on cybercrime.
My right hon. Friend the Member for Basingstoke has spoken about her great interest in this issue. In the UK, we, necessarily, take cyber-threats extremely seriously. The UK has a growing online economy and the internet accounts for 8% of our GDP, so it is important that we work together to maintain people’s confidence in doing business online.
Clearly a lot more still needs to be done to minimise the economic impact of cyber-attacks. The average cost of breaches has nearly doubled. The average cost of the worst security breach for large organisations is now between £600,000 and £1.15 million and for smaller organisations it is between £65,000 and £115,000.
The private sector is the largest economic victim of crime and economic espionage perpetrated through cyberspace and much of the infrastructure that we need to protect in the UK is owned and operated by the private sector. Our approach is to work in partnership with industry to raise awareness of the threat to reputation, revenues and intellectual property from cyber-attack and to promote the measures that businesses can take to address them. That is why we launched a new Government scheme to help businesses to stay safe online: the Cyber Essentials scheme. That provides clarity to organisations on what good cyber-security practice is, and sets out the steps that they need to follow to manage cyber-risks.
Cyber Essentials is a robust, easy to use and cost-effective way to help businesses to protect against the risks of operating online. Organisations will now easily be able to demonstrate that they are cyber-safe, reassuring their clients and boosting confidence and growth. I encourage all organisations to adopt it. I am grateful to my right hon. Friend for raising the point because it has given me the opportunity to describe the scheme. I hope that that will raise awareness and that more businesses will take the opportunity to use the information available.
As to new clause 14, I agree with the hon. Member for Croydon North that we should work with internet service providers to tackle the abhorrent scourge of online child sexual exploitation. Our work with ISPs already shows progress, so we do not believe that legislation is required at this point. We have made it very clear that those who provide services online, particularly where images can be stored, must act to prevent them from being used for the storage or sharing of indecent images of children.
The internet industry operating in the UK has done significant work on a self-regulatory basis to tackle the availability of indecent images of children online. The hon. Gentleman spoke about searching for indecent images. The Government are developing the child abuse image database, which will produce hash sets—numerical identifiers for each image—that will be used to search for images on seized devices and on the internet.
Also, in December, the UK hosted the WePROTECT global summit on online child sexual exploitation. That was attended by delegations from more than 50 countries, 26 leading technology companies and 10 non-governmental organisations. We saw significant examples of the benefits of strong partnership with industry. The major global technology companies—Microsoft, Facebook, Google, Yahoo and Twitter—will take hashes of child sexual abuse images from the Internet Watch Foundation to detect and remove child sexual abuse material from their platforms and services. Companies will continue to work on new solutions, such as the ability for children to report and block self-generated indecent imagery, a tool to identify victims and a tool to identify paedophiles posing as children.
Google has made changes to its search algorithm to prevent images and videos containing child abuse material from appearing in search results. There has been a fivefold reduction in child sexual abuse image-related search queries in the past 12 months. That work is clearly having an impact. Since April 2014, the Internet Watch Foundation has been proactively seeking out child sexual abuse imagery. In 2014 the IWF processed some 70,500 reports, which is a 38% increase on 2013, and took action to get images removed from 27,850 web addresses, which is a 109% increase on the previous year.
My right hon. Friend the Member for Basingstoke asked about the lessons we can learn from child sexual exploitation and applying them to cyber. She is right: like online child sexual exploitation, cybercrime is a global threat requiring a co-ordinated global response by Governments, law enforcement agencies, technology companies and non-governmental organisations. For instance, we need strong partnerships with industry to develop technological solutions that protect both companies and their users.
That is why we work bilaterally with countries and multilateral institutions such as the European Union, the Council of Europe, Europol and Interpol, to ensure that UK objectives on cybercrime are delivered, and that there is effective international co-operation on cybercrime. We are working closely with industry to raise awareness of the threats to revenues and intellectual property from cyber-attack. That has included the publication of Government advice to large businesses and smaller firms on how to improve their online safety.
I want to mention CERT UK, the computer emergency response team. It is responsible in the UK for national cyber-incident management, complementing and building on existing UK capabilities. It links with the international CERT community and provides an authoritative voice for those agencies and organisations that are helping the UK to become more resilient, and so to prosper, in the cyber-age.
Industry has the skills and knowledge to provide technical solutions to assist in the removal of sexual images of children online. We welcomed the commitment at the WePROTECT summit to continue to develop new tools and techniques to improve the detection and removal of images of child sexual abuse. The industry has also committed to support charities that help to protect the victims of abuse and those who work to prevent these crimes through additional funding. That is important because we must always place victims at the heart of our efforts to tackle child sexual exploitation.
We are going even further. Work to tackle indecent images of children will be supported by a new £50 million child protection fund to develop global capacity building to prevent children from experiencing violence and exploitation, and to help those who have been victimised. UNICEF will support the development of the new fund, in close partnership with the UK, other Governments and partners from civil society and the private sector. That work builds on the work that the Government, law enforcement agencies and the Internet Watch Foundation have done over many years to tackle such images. We welcome internet service providers’ continued commitment to fund the IWF to ensure it can increase its remit and effectiveness.
This problem requires a co-ordinated global response that brings Governments, law enforcement agencies, technology companies and non-governmental organisations together. We believe that asking the industry to take action under a self-regulatory structure allows it to contribute to this work more effectively than legislating to require it to do so. We are not persuaded at this point that we would better protect children by placing a legal requirement on companies. Internet service providers are showing real progress in tackling the shocking existence of such appalling images. We will ensure that that progress continues.
The Government recognise that tackling online child sexual exploitation and other forms of cybercrime is one of the most important challenges that the police face today. We will continue to support and invest in the police to ensure that they have the resources and capability to respond to the ever-evolving world of cybercrime. I invite the hon. Member for Croydon North not to press his new clauses.

Question put and agreed to.

Clause 40 accordingly ordered to stand part of the Bill.

Steve Reed: It is entirely my fault, Mr Davies, but I missed the opportunity to respond to the Minister. I intended to press one of the new clauses to a vote.

Philip Davies: The votes on the new clauses will come later, when we dispose of new clauses. The hon. Gentleman will be able to press his new clause to a Division then.

Clause 41 ordered to stand part of the Bill.

Clause 42  - Territorial scope of computer misuse offence

Question proposed, That the clause stand part of the Bill.

Norman Baker: I want to ask the Minister a question. She may be able to answer it now; if not, she can do so at a later stage. Clause 42 relates to the territorial scope of computer misuse offence. Sensibly, it deals with UK nationals who are outside the country at the time that the offence was committed. There are obviously people who are resident in the UK who are not UK nationals. I hope that the law can also capture people who commit an offence and have the right to remain in the country but are not UK nationals. It would be an unfortunate loophole if those people were not covered.

Karen Bradley: I thank my right hon. Friend for that question. My understanding is that they are caught by the law, but I will write to him to give full clarity to that point.

Question put and agreed to.

Clause 42 accordingly ordered to stand part of the Bill.

Clauses 43 to 45 ordered to stand part of the Bill.

Schedule 1 agreed to.

Clauses 46 to 49 ordered to stand part of the Bill.

Ordered, That further consideration be now adjourned. —(Damian Hinds.)

Adjourned till Thursday 15 January at half-past Eleven o’clock.
Written evidence reported to the House
SC 01 NSPCC
SC 02 Paul West, Jessica de Grazia, David Bethom, and Alistair Richardson
SC 03 British Transport Police
SC 04 Royal College of Nursing